• Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Rogue Anti Spyware
    • Virus
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

Menu
  • Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Rogue Anti Spyware
    • Virus
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools
Home › Exploits & Vulnerabilities › 100 confirmed sites now using the IE vulnerability

100 confirmed sites now using the IE vulnerability

Myantispyware team March 24, 2006     No Comment    

100 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.

These can be very nasty. SunBelt analysed one site – www(dot)textrum(dot)se (since shutdown):
The exploit calls a file, updater.exe. It file is W32/Spybot (W32/Backdoor, Adware.NaviPromo.M)
Norman sandbox report:

Found Sandbox: W32/Backdoor; [ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0″=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attemps to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.

There is no patch available for this exploit. The only way to avoid it is
– turn off Active Scripting
– use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected).
Your standard protections should be in place — antivirus, firewall, antispyware.

Exploits & Vulnerabilities

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Leave a Reply Cancel reply




New Guides

unwanted ads
How to uninstall AthenaSearch app/extension from Mac
customers-info.space pop-ups
How to remove Customers-info.space pop-up scam (Virus removal guide)
unwanted ads
How to uninstall RunningUpdater app/extension from Mac
Nistartedwo.biz
How to remove Nistartedwo.biz pop-ups (Virus removal guide)
Quick Recipes
How to uninstall Quick Recipes Search from Chrome, Firefox, IE, Edge

Follow Us

Search

Useful Guides

How to reset Google Chrome settings to default
Tech Support Scam
Remove Tech Support Scam pop-up virus [Microsoft & Apple Scam]
adwcleaner
AdwCleaner – Review, How to use, Comments
Files encrypted by ransomware become useless
How To Recover Encrypted Files (Ransomware file recovery)
Managed by your organization chrome virus
Chrome Managed by your organization malware removal guide

Recent Posts

RealNetworks Products Multiple Buffer Overflow Vulnerabilities
New Internet Explorer vulnerability
Top 10 spyware threats discovered for last 24 hours
Coolwebsearch.info – new site from the Coolwebsearch family
New unpatched vulnerability in the Internet Explorer (mshtml.dll) found

MYANTISPYWARE.COM

  • About Us
  • Contact Us
  • Privacy Policy

NEED A HELP ?

If you're seeing unwanted pop-ups or ads in your web-browser, you might have an adware installed on your computer. Use the following guide to stop pop-up ads and remove malicious software. Or ask for help here.

Links

  • Downloads
  • Instructions
  • Questions and Answers
  • Free Malware Removal Tools
Copyright © 2004 - 2020 My AntiSpyware - Free antispyware programs and Spyware Removal Instructions.